Archives for October 2015

Microsoft’s much anticipated new operating system, Windows 10, was released at the beginning of August, receiving initial praise from many. It is indeed a fine Operating System, it could be the best iteration of Windows to date. Unfortunately, since launch, a number of reviewers have raised numerous well-founded major privacy worries.

Cortana and Bing

Central to the new Windows 10 “experience” are Microsoft’s integrated Cortana and Bing search features, many of which are made possible only by collecting large amounts of user data.

Cortana is Microsoft’s answer to Apple’s Siri, and uses an online connection to Microsoft’s systems to provide advanced speech recognition capabilities. In order to improve accuracy, this requires that personalized (although claimed-to-be anonymous) speech data is collected and stored.

As an important aside, you are probably aware that Microsoft acquired Skype, the hugely popular online communication application offering voice, video, IM, file transfer and more. Given the rewriting of Skype’s terms and privacy policies to allow for greatly expanded rights to retain data (more on the specific Skype language below), and when considered within the full context of Window 10 and Microsoft’s greatly expanded new privacy language, topped off by the invasive functionality of Cortana and Bing et al, we suspect there is probably absolutely nothing ‘anonymous’ when you use Windows 10, Skype, Cortana and Bing.

Even more worrying is that in order to provide “a useful service able to respond to your needs”, Cortana by default incorporates your address book contacts, calendar entries, location data, text and touch input, and more, into the heuristic algorithms it uses to predict what information you find useful.

If Microsoft only used personal information and personal data to improve a user’s experience, many of us might accept the trade-off between functionality and privacy. However, Microsoft goes much further. It uses the data it collects to generate a unique advertising ID for each user on each device, which can then be used by developers and ad networks to profile them.

Here are a few reprints of worrying language contained in Microsoft’s new privacy policy statement. In the “Reasons We Share Personal Data” section alone it clearly states that it Microsoft has the right to access all personal details should it feel the need to do so:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

Protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

Operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

Protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”

Similar themes are echoed in the Skype privacy statement, which reads:

“Some Skype products may be offered via a partner company’s website and/or supported through a partner company that may use your data subject to the terms of its own privacy policy. Microsoft may access, disclose and preserve your data (including your private content, such as the content of your instant messages, stored video messages, voicemails or file transfers) to provide the service or to assist its local partner or the local operator facilitating your communication to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.”

In other words, Microsoft has decided to collect and retain massive amounts of personally identifiable information and to use it for commercial gain and to hand over to 3rd parties (both private and governmental) whenever it feels that it is in its best interest to do so. The only good news we see in any of this for privacy advocates is that Microsoft provides some ability for users to disable the most egregious ways in which Windows 10 collects personal information.

Unfortunately, a technical analysis performed by Ars Technica shows that, even when privacy-threatening settings have been disabled in Windows 10, Microsoft continues to collect information!

Ars founds, for example, that even with Cortana turned off (Settings -> Privacy) and Bing Integration in the Start Menu disabled, whenever a user opens Start and begins typing, a request to www.bing.com is still sent to a file called threshold.appcache, which contains Cortana information. Windows 10 also continues to communicate with Microsoft servers (although the nature of this communication is not clear.)

There is, unfortunately, not much that can be done about this for the time being, although if enough public outcry occurs, then Microsoft may be persuaded to modify its course. Using a VPN religiously may help confuse geolocation telemetry on devices that do not include GPS or 3/4G capabilities (i.e. most laptops and desktop PCs), but this may negatively impact your user experience of Windows.

Windows 10 self-installing

There have also been rumors floating around the internet about Windows 10 automatically downloading as a regular update, and then self-installing itself. These are not true as such, but almost certainly refer to a series of recent updates for Windows 7 and Windows 8.x that add the data collection features found in Windows 10 (discussed above) to earlier versions of the Operating system.

The updates are:

KB3068708 – “introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded.” (This update replaces the earlier, similar KB3068708)

KB3075249 – “adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.”

KB3080149 – “updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded.”

If you have set your system to install updates automatically, then you probably have these privacy-busting updates installed already. To uninstall them go Control Panel -> Programs and Features -> View Installed Updates History. Search for the relevant updates and delete them, then go to Control Panel -> Windows Update -> Change settings, and select one of options that disable automatic installation of updates.

When Windows Update asks to reinstall the update, right-click on it and select “Hide Update” to prevent Windows installing it again.

Returning to Windows 10, the Home edition installs Windows Updates automatically, and there is no way to turn off this feature except by upgrading to the Pro version. This has understandably caused some alarm among privacy advocates, and to add insult to injury, the Windows Update Delivery Optimization (WUDO) system used to download these updates is performed using P2P.

This is great for Microsoft, as it allows the company to distribute large numbers of files simultaneously without putting strain on its servers, but, as with downloading via BitTorrent, this can severely slow down users’ internet connection. Fortunately this “feature” can be disables by turning off “Updates from more than one place” in Windows Update -> Settings.

Wi-Fi Sense

Windows 10 Wi-Fi sharing feature Sense has caused a great deal of uproar as it appears to share your Wi-Fi password with all your Contacts by default. This is something of a red herring, as although Wi-Fi Sense is enabled by default, you must explicitly share every network you join with your friends/social networks.

However, because Wi-Fi Sense is an all-or-nothing affair (i.e. you cannot specify individuals or groups of friends), sharing your network password with friends means sharing it with all your friends (in the same contact group):

“You can’t pick and choose individual contacts. You can only share with groups of contacts. For example, if you share password-protected Wi-Fi networks with your Skype contacts, all your Skype contacts will have Internet access over the networks you share.”

This could be a major security risk for the many of us who accept Friend requests from people we do not know well (or at all!)

Conclusion

Windows 10 seems to be a good operating system, and provides many compelling reasons to upgrade. However, those concerned about privacy should be very careful about jumping on the bandwagon until the many of the privacy issues that have been raised by the new operating system are addressed by Microsoft.

In fact, as the update adding Windows 10 telemetry functions to older versions of Windows demonstrates, even holding back from upgrading may not be sufficient protection against Microsoft’s desire to access your personal data. For those more serious about their privacy, now may the perfect time to consider upgrading (or dual booting) to an open source operating system like Linux.

What the whole business amply demonstrates is that internet security is highly complex issue, and one that requires being continually aware of dangers, and of being responsible about how you use your computer and what information you put on the internet.

VPN is a fantastic technology for providing privacy on the internet, but offers little protection when logging onto Facebook (or other websites) and voluntarily giving away personal information to the internet in general, and when your own Operating System is ratting on you to its manufacturer… so please stay aware and up to date with your devices, websites, and operating systems you are using. As usual we’ll keep you updated with the latest developments on Windows 10 and more.

IronSocket Blog

IronSocket.com welcomes you to our blog, dedicated to keeping you informed of security, privacy and freedom issues rampant in today’s networked world. Our goal is to provide objective commentary on the issues, and to identify the steps to take to protect yourself and your family.

Portable Devices

Legal

REGISTERED NAMES AND TRADEMARKS ARE THE COPYRIGHT AND PROPERTY OF THEIR RESPECTIVE OWNERS.
IronSocket is not affiliated with any game, television, movie, or music publishing and/or distribution company.
Use of this Website constitutes acceptance of the TERMS OF USE and PRIVACY POLICY.